[Bug 644632] Re: nssldap-update-ignoreusers needs to be configurable to ignore users
Jamie Strandboge
jamie at ubuntu.com
Tue Apr 19 14:04:17 UTC 2011
So in talking with Scott on irc, he brought up an important point-- it
is undesirable to add the additional nss_initgroups_okusers option if
upstream actually implements
nss_initgroups_ignoreusers/nss_initgroups_minimum_uid in nss-ldap proper
(see upstream bug http://bugzilla.padl.com/show_bug.cgi?id=341). I think
the best course of action is for people interested in fixing this bug to
comment in the upstream bug about how
nss_initgroups_ignoreusers/nss_initgroups_minimum_uid isn't always
enough, and there should be some sort of whitelist. At that point we can
evaluate the best way to move forward (and have a blessed config
option).
If they NAK it, we could theoretically still implement this feature in
nssldap-update-ignoreusers, with the understanding that
nssldap-update-ignoreusers would have to be updated when upstream implements
nss_initgroups_ignoreusers/nss_initgroups_minimum_uid and only remove
users in nss_initgroups_okusers from nss_initgroups_ignoreusers rather
than trying to generate nss_initgroups_ignoreusers on the fly each time.
** Changed in: libnss-ldap (Ubuntu)
Status: New => Confirmed
https://bugs.launchpad.net/bugs/644632
Title:
nssldap-update-ignoreusers needs to be configurable to ignore users
Status in “libnss-ldap” package in Ubuntu:
Confirmed
Bug description:
Binary package hint: libnss-ldap
# lsb_release -rd
Description: Ubuntu 10.04.1 LTS
Release: 10.04
# apt-cache policy libnss-ldap
libnss-ldap:
Installed: 264-2ubuntu2
Candidate: 264-2ubuntu2
Version table:
*** 264-2ubuntu2 0
500 http://us.archive.ubuntu.com/ubuntu/ lucid/main Packages
100 /var/lib/dpkg/status
261-2.1ubuntu1 0
500 http://us.archive.ubuntu.com/ubuntu/ jaunty/main Packages
Currently, nssldap-update-ignoreusers can only be configured to ignore
users over a certain numeric UID. It blindly includes all users less
than the configured UID. However, this breaks our setup. We have
some system users (namely www-data and www-priv) that are in groups in
LDAP. Thus, when you query the 'Subversion' group, you get back a
list that includes www-priv. However, if you try to query the groups
to which www-priv belongs, it fails to return the correct groups
because it ignores www-priv, thus breaking privileges because the
system then thinks www-priv is not in the Subversion group.
The only workaround for now is to disable the run of nssldap-update-ignoreusers.
I would work on a patch to facilitate configuring users to *not*
include in the ignore list if someone will commit to getting the patch
accepted: we don't really want to maintain our own branch of one file
in a package. :)
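As an added illustration, not the libnss-ldap package's own nssldap-update-ignoreusers script, the sketch below models the generation step the report describes (ignore every local user below a UID threshold) next to the whitelist the reporter and the later comment ask for (an nss_initgroups_okusers list subtracted from the result). The threshold of 1000, the passwd sample and all function names are assumptions.

```python
# Hypothetical model of nss_initgroups_ignoreusers generation with a whitelist.
# Not the package's script; it shows why a UID-only rule drops www-priv.

MIN_UID = 1000  # assumed threshold; the real tool reads its own configuration

# Constructed /etc/passwd sample (not from a real system)
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
www-priv:x:999:999:web privileged:/var/www:/bin/false
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
"""


def local_users_below(passwd_text, min_uid):
    """Return the names of passwd entries whose UID is below min_uid.
    Malformed lines (too few fields, non-numeric UID) are skipped."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        if int(fields[2]) < min_uid:
            users.append(fields[0])
    return users


def build_ignoreusers(passwd_text, min_uid, okusers=()):
    """Current behaviour: every local user below min_uid is ignored, so
    initgroups() never asks LDAP for www-priv and its Subversion membership
    is lost.  Proposed behaviour: names in okusers stay out of the list."""
    keep = set(okusers)
    return [u for u in local_users_below(passwd_text, min_uid) if u not in keep]


def render_config_line(ignored):
    """The ldap.conf directive takes a comma-separated list of user names."""
    return "nss_initgroups_ignoreusers " + ",".join(ignored)


def update_ldap_conf(conf_text, ignored):
    """Replace an existing nss_initgroups_ignoreusers line or append one,
    leaving every other directive untouched."""
    out, replaced = [], False
    for line in conf_text.splitlines():
        if line.split(None, 1)[:1] == ["nss_initgroups_ignoreusers"]:
            out.append(render_config_line(ignored))
            replaced = True
        else:
            out.append(line)
    if not replaced:
        out.append(render_config_line(ignored))
    return "\n".join(out) + "\n"
```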